Hello,

Go into /usr/local/pf/conf and:

cp iptables.conf.example iptables.conf

then restart iptables.

Regards

Fabrice
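A pre-flight check for the failure diagnosed further down in this thread, added here as an example (it is not PacketFence code and not part of anyone's message): it scans a rendered iptables.conf for template variables such as %%status_port%% that were never substituted, and for port arguments iptables-restore would reject, and reports the line number the way iptables-restore does. SAMPLE_CONF is a constructed excerpt of the posted file, and names such as preflight and iter_rules are my own.

```python
"""Pre-flight check for a rendered PacketFence iptables.conf (added example).
iptables-restore loads a file atomically: one bad token (here an un-rendered
%%status_port%% on line 30) aborts the load and leaves every table empty with
its default ACCEPT policy, which is what "iptables -L -n -v" showed above."""
import re
import sys

# %%name%% is the placeholder syntax of the /usr/local/pf/conf/iptables.conf template
PLACEHOLDER = re.compile(r"%%([A-Za-z0-9_]+)%%")
# Options whose argument iptables-restore parses as a port or service name
PORT_OPTS = {"--dport", "--sport", "--destination-port", "--source-port", "--to-port"}

def iter_rules(conf_text):
    """Yield (line_no, line) for active lines only: comments and blank lines
    are ignored by iptables-restore, so a placeholder there is harmless."""
    for n, line in enumerate(conf_text.splitlines(), start=1):
        s = line.strip()
        if s and not s.startswith("#"):
            yield n, s

def unrendered_placeholders(conf_text):
    """Return [(line_no, var_name)] for every %%var%% left in an active line."""
    return [(n, m.group(1))
            for n, line in iter_rules(conf_text)
            for m in PLACEHOLDER.finditer(line)]

def bad_port_arguments(conf_text):
    """Return [(line_no, value)] where a port option's argument is neither an
    integer in 1..65535 nor something that could be an /etc/services name."""
    bad = []
    for n, line in iter_rules(conf_text):
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in PORT_OPTS:
                continue
            val = tokens[i + 1]
            if val.isdigit() and 1 <= int(val) <= 65535:
                continue
            if re.fullmatch(r"[a-z][a-z0-9-]*", val):   # plausible service name
                continue
            bad.append((n, val))
    return bad

def preflight(conf_text):
    """Collect every problem as (line_no, message), sorted; empty means OK."""
    problems = [(n, f"unrendered template variable %%{v}%%")
                for n, v in unrendered_placeholders(conf_text)]
    problems += [(n, f"invalid port/service '{v}'")
                 for n, v in bad_port_arguments(conf_text)
                 if not PLACEHOLDER.fullmatch(v)]    # already reported above
    return sorted(problems)

# Constructed excerpt of the management chain from the thread's iptables.conf,
# keeping the faulty rule; it is not the full file that was posted.
SAMPLE_CONF = """\
*filter
:INPUT DROP [0:0]
:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# PacketFence Status
-A input-management-if --protocol tcp --match tcp --dport %%status_port%% --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
COMMIT
"""

def main(path=None):
    """Check a file (or the embedded sample); exit 2 on problems, like iptables-restore did."""
    text = open(path).read() if path else SAMPLE_CONF
    problems = preflight(text)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    return 2 if problems else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

On the gateway itself, `iptables-restore --test < /usr/local/pf/var/conf/iptables.conf` is the authoritative check: it parses the whole file without committing any rule.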



On 2018-05-09 at 14:55, Dominix Public Relation via PacketFence-users wrote:
Thank you Fabrice, here is my iptables. It seems empty.

[root@pf-wifi ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 51M packets, 9267M bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain FORWARD (policy ACCEPT 5523 packets, 371K bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain OUTPUT (policy ACCEPT 51M packets, 7495M bytes)
 pkts bytes target     prot opt in     out     source          destination
[root@pf-wifi ~]#
[root@pf-wifi ~]#
[root@pf-wifi ~]#
[root@pf-wifi ~]#
[root@pf-wifi ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 33869 packets, 5824K bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain INPUT (policy ACCEPT 30606 packets, 5460K bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain OUTPUT (policy ACCEPT 232K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain POSTROUTING (policy ACCEPT 234K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source          destination
[root@pf-wifi ~]#
[root@pf-wifi ~]#
[root@pf-wifi ~]# ipset -L
Name: parking
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 0
Members:

Name: PF-iL2_ID1_192.168.27.0
Type: bitmap:ip
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 184
References: 0
Members:

Name: PF-iL2_ID2_192.168.27.0
Type: bitmap:ip
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 184
References: 0
Members:

Name: PF-iL2_ID3_192.168.27.0
Type: bitmap:ip
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 184
References: 0
Members:

Name: PF-iL2_ID4_192.168.27.0
Type: bitmap:ip
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 184
References: 0
Members:

Name: PF-iL2_ID5_192.168.27.0
Type: bitmap:ip
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 184
References: 0
Members:

Name: pfsession_Unreg_192.168.27.0
Type: bitmap:ip,mac
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 4272
References: 0
Members:
192.168.27.10,E0:66:78:CC:46:22
192.168.27.11,C0:D3:C0:BD:26:13
192.168.27.12,9C:E0:63:56:CC:0A
192.168.27.13,14:9F:3C:86:2A:B1
192.168.27.14,24:A2:E1:DE:9F:2C
192.168.27.15,40:B3:95:22:7A:C0
192.168.27.17,30:10:E4:20:40:8A
192.168.27.18,CC:73:14:2B:26:B6
192.168.27.20,8C:99:E6:C6:8F:26
192.168.27.21,20:08:ED:30:D4:40
192.168.27.23,AC:AF:B9:8D:E1:EE
192.168.27.27,E8:50:8B:BE:A1:68
192.168.27.30,58:1F:28:CA:A5:BB
192.168.27.31,F0:43:47:96:92:B6
192.168.27.32,2C:CB:23:12:0B:4C
192.168.27.33,AC:5F:3E:67:E2:BA
192.168.27.34,B0:E1:7E:30:0C:94
192.168.27.37,54:B1:21:D4:A9:19
192.168.27.38,08:81:BC:35:BF:A8
192.168.27.39,6C:B7:49:07:F7:E1
192.168.27.40,88:6B:6E:05:2C:A7
192.168.27.41,BC:54:51:52:47:34
192.168.27.42,40:9F:38:E2:C2:A5
192.168.27.43,A8:C8:3A:6A:D2:66
192.168.27.44,C4:9A:02:67:C9:19
192.168.27.45,34:8A:7B:26:BD:90
192.168.27.46,7C:F9:0E:EC:FB:BF
192.168.27.48,40:45:DA:C8:36:92
192.168.27.49,84:98:66:7D:63:05
192.168.27.50,88:C9:D0:F0:79:33
192.168.27.52,D4:28:D5:EC:F0:B0
192.168.27.53,D8:5B:2A:D3:21:B7
192.168.27.54,00:27:15:DD:5E:3F
192.168.27.55,00:F8:1C:E8:C1:0B
192.168.27.56,E0:99:71:9D:81:D3
192.168.27.62,5C:97:F3:7C:94:66
192.168.27.76,24:A2:E1:DC:A2:E6

Name: pfsession_Reg_192.168.27.0
Type: bitmap:ip,mac
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 4272
References: 0
Members:

Name: pfsession_Isol_192.168.27.0
Type: bitmap:ip,mac
Revision: 1
Header: range 192.168.27.0-192.168.27.255
Size in memory: 4272
References: 0
Members:

Name: pfsession_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 0
Members:

Name: pfsession_isol_passthrough
Type: hash:ip,port
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16528
References: 0
Members:
[root@pf-wifi ~]#



This drives me to conclude that iptables has a problem...

[root@pf-wifi ~]# systemctl status packetfence-iptables -l
● packetfence-iptables.service - PacketFence Iptables configuration
   Loaded: loaded (/usr/lib/systemd/system/packetfence-iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since lun. 2018-05-07 16:37:41 -10; 1 day 16h ago
 Main PID: 816 (code=exited, status=0/SUCCESS)
   CGroup: /packetfence.slice/packetfence-iptables.service

mai 07 16:37:41 pf-wifi.sdec-hyperu.pf packetfence[816]: INFO -e(816): building firewall to accept registered users through inline interface (pf::iptables::generate_inline_rules)
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf sudo[1852]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip route get 8.8.8.8 from 192.168.27.1
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf packetfence[816]: INFO -e(816): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf packetfence[816]: INFO -e(816): Adding NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf packetfence[816]: INFO -e(816): restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf perl[816]: Connected to config service successfully for namespace config::Pfiptables-restore v1.4.21: invalid port/service `%%status_port%%' specified
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf perl[816]: Error occurred at line: 30
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf perl[816]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf packetfence[816]: WARN -e(816): Problem trying to run command: LANG=C /sbin/iptables-restore < /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited with non-zero value 2 (pf::util::pf_run)
mai 07 16:37:41 pf-wifi.sdec-hyperu.pf systemd[1]: Started PacketFence Iptables configuration.
Warning: packetfence-iptables.service changed on disk. Run 'systemctl daemon-reload' to reload units.

It looks like this line makes the load script fail because of the unknown variable %%status_port%% at line 30:

...
# PacketFence Status
-A input-management-if --protocol tcp --match tcp --dport %%status_port%% --jump ACCEPT
# httpd.portal modstatus
...

Here is the full iptables.conf:

# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
*filter

### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# PacketFence Status
-A input-management-if --protocol tcp --match tcp --dport %%status_port%% --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard)
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
# GRAPHITE-WEB
-A input-management-if --protocol tcp --match tcp --dport 9000 --jump ACCEPT
# CARBON_CACHE
-A input-management-if --protocol tcp --match tcp --dport 2004 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 7002 --jump ACCEPT

# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# RADIUS (eduroam virtual-server)
# eduroam integration is not configured

# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# PacketFence-PKI
# -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT

# VRRP
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT

# Syslog
-A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT

:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# eduroam integration is not configured


:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --destination-port 8080 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --destination-port 3128 --jump ACCEPT



:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT


:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# DNS
# allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x1 --jump DROP
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 8080  --match mark --mark 0x3  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 8080  --match mark --mark 0x3  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 8080  --match mark --mark 0x1  --jump DROP
-A input-internal-inline-if --protocol tcp --match tcp --dport 3128  --match mark --mark 0x3  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 3128  --match mark --mark 0x3  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 3128  --match mark --mark 0x1  --jump DROP


:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
#Galera cluster
-A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT

### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-vlan-if - [0:0]
-A FORWARD -s 192.168.27.0/24 -d 192.168.0.0/16 --jump REJECT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src --jump ACCEPT


:forward-internal-isolvlan-if - [0:0]
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src --jump ACCEPT


:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x3 -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x2 -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

:OUTPUT ACCEPT [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A INPUT --in-interface eno2 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eno2 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface eno2 --protocol udp --match udp --dport 67 -j ACCEPT
-A INPUT --in-interface eno2 --protocol udp --match udp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface eno2 --protocol tcp --match tcp --dport 53 --jump input-internal-inline-if
-A INPUT --in-interface eno2 -d 192.168.27.1 --jump input-internal-inline-if
-A INPUT --in-interface eno2 -d 255.255.255.255 --jump input-internal-inline-if
-A INPUT --in-interface eno2 -d 192.168.254.113 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A FORWARD --in-interface eno2 --jump forward-internal-inline-if
-A INPUT --in-interface eno1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eno1 -p vrrp -j ACCEPT
-A INPUT --in-interface eno1 --jump input-portal-if
-A INPUT --in-interface eno1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eno1 -p vrrp -j ACCEPT
-A INPUT --in-interface eno1 --jump input-radius-if
-A INPUT --in-interface eno1 --jump input-management-if
-A FORWARD --in-interface eno1 --match state --state ESTABLISHED,RELATED --jump ACCEPT

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
-A prerouting-int-inline-if --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Unreg_192.168.27.0 src,src --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Reg_192.168.27.0 src,src --jump MARK --set-mark 0x1
-A prerouting-int-inline-if -m set --match-set pfsession_Isol_192.168.27.0 src,src --jump MARK --set-mark 0x2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting-int-inline-if - [0:0]
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_192.168.27.0 src -j CLASSIFY --set-class 100:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_192.168.27.0 dst -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_192.168.27.0 src -j CLASSIFY --set-class 100:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_192.168.27.0 dst -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_192.168.27.0 src -j CLASSIFY --set-class 100:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_192.168.27.0 dst -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_192.168.27.0 src -j CLASSIFY --set-class 100:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_192.168.27.0 dst -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_192.168.27.0 src -j CLASSIFY --set-class 100:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_192.168.27.0 dst -j CLASSIFY --set-class 1:5

# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eno2 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eno2 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eno1 --jump postrouting-int-inline-if
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]

-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x3 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x2 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol tcp --destination-port 8080 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x3 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol tcp --destination-port 8080 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x2 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol tcp --destination-port 3128 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x3 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol tcp --destination-port 3128 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x2 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if -m set --match-set pfsession_passthrough dst,dst --match mark --mark 0x3 --jump ACCEPT
-A prerouting-int-inline-if -m set --match-set pfsession_isol_passthrough dst,dst --match mark --mark 0x2 --jump ACCEPT
-A prerouting-int-inline-if --protocol tcp --destination-port 80 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x2 --jump DNAT --to 192.168.27.1
-A prerouting-int-inline-if --protocol tcp --destination-port 443 -s 192.168.27.0/255.255.255.0 --match mark --mark 0x2 --jump DNAT --to 192.168.27.1
-A PREROUTING -p tcp --dport 80 -m set --match-set parking src -j REDIRECT --to-port 5252
-A PREROUTING -p tcp --dport 443 -m set --match-set parking src -j REDIRECT --to-port 5252


:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eno2 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eno2 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eno1 --match mark --mark 0x3 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eno1 --match mark --mark 0x1 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eno1 --match mark --mark 0x2 --jump postrouting-int-inline-if


:POSTROUTING ACCEPT [0:0]

-A postrouting-int-inline-if --jump MASQUERADE


#
# Chain to enable routing instead of NAT
#
-A postrouting-inline-routed --jump ACCEPT


#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
-A POSTROUTING -s 192.168.27.0/24 -o eno1 -j SNAT --to 192.168.254.113


#
# Routing for the hidden domain network
#
-A POSTROUTING -s 169.254.0.0/16 -o eno1 -j SNAT --to-source 192.168.254.113

COMMIT


Thank you all for your advice.




On Wed 9 May 2018 at 05:27, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

    Hello,

    First, for email registration, do you use the server as a relay or
    do you use an external SMTP server?

    For internet access, can you paste the command:

    iptables -L -n -v

    iptables -L -n -v -t nat

    ipset -L

    Regards

    Fabrice



    On 2018-05-09 at 05:19, Dominix Public Relation via
    PacketFence-users wrote:
    I am setting up a gateway to provide free wifi to customers, with
    only email registration.
    The packetfence gateway is installed on a CentOS 7.5 in an inline
    configuration.
    Internet access is OK, the machine upgrades and reaches the internet.
    People are able to sign in, but then ... nothing more. After
    entering their email and checking OK to the AUP they cannot access the
    internet. No email is sent either. But the email services are OK,
    because I can receive alerts or other things from the machine.

    Wifi is managed by a third party, it is an open network. DHCP is
    provided by the packetfence machine in version 8.0.0. I already have
    plenty of registered smartphones but none reach the internet.

    Could I have advice for where to search? It seems to be a trivial
    setting but I cannot figure out which one.

    Thanks for your time.


    


    _______________________________________________
    PacketFence-users mailing list
    PacketFence-users@lists.sourceforge.net
    <mailto:PacketFence-users@lists.sourceforge.net>
    https://lists.sourceforge.net/lists/listinfo/packetfence-users

    



